Enable TLS inspection to Inspect inbound TLS traffic from Azure Application Gateway to allow/deny with IDPS and Application rules

Implementation Effort: High

User Impact: Medium

Overview

Architect your inbound path so that Azure Application Gateway sits in front of Azure Firewall — Application Gateway terminates or forwards TLS traffic to the firewall’s AzureFirewallSubnet.

In your Azure Firewall Premium policy, enable TLS inspection, select the managed identity and CA certificate from Key Vault. As TLS connections arrive from the Application Gateway, Azure Firewall decrypts the traffic, inspects it against your IDPS signature set and Application Rule collections, re-encrypts the sessions, and forwards them to backend resources. This ensures that all ingress TLS traffic benefits from the same intrusion prevention and application-layer controls as other flows, providing end-to-end security enforcement.

Reference

• Azure Firewall Premium TLS inspection
• Deploy and configure Azure Firewall Premium
• Deploy and configure Enterprise CA certificates for Azure Firewall
• Zero-trust network for web applications with Azure Firewall and Application Gateway
• Azure Firewall and Application Gateway for virtual networks